Nice piece of work Murat.
I am trying to look into LDAP Communications, but am having trouble getting the packets decrypted - all I get is "Application Data" with "Encrypted Application Data" under the SSL portion of the packet.
No Clear text here :-(
I have tried specifying the port as "636" or "start_tls" under the RSA-keys list in Wireshark.
The trace is captured from the server side of communications.
I have also verified that the Client Key Exchange is part of my trace - and I am using the private key of the server (exported as per your instructions).
Any idea what I am doing wrong?
Any and all help appreciated :-)
Thank you Skjalg
Possibly the LDAP payloads are also encrypted (with the NTLM/Kerberos session key negotiated at the initial authentication phase) inside the SSL/TLS channel, so even if you decrypt the SSL/TLS session, you will still not be able to see the LDAP payloads. To be able to see LDAP payloads unencrypted, you may want to give the following post a try:
http://blogs.msdn.com/b/spatdsg/archive/2008/08/12/ldap-client-tracing.aspx
Hope this helps
Thanks,
Murat